This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

Segmentation fault sorting Float64Array in node 0.6.19, not in 0.7.10-pre #3403

umbricola opened this issue Jun 11, 2012 · 1 comment

@umbricola

Node 0.6.19 crashes on me when I try to sort a big enough Float64Array:

$ uname -a; node --version; node -e 'c = 149; b = new ArrayBuffer(8 * c); a = new Float64Array(b); Array.prototype.sort.apply(a, [function (x, y) { return x - y; }]); 0'
Linux [redacted] 3.2.0-24-generic #39-Ubuntu SMP Mon May 21 16:52:17 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
v0.6.19
Segmentation fault (core dumped)

valgrind says v8 is trying to dereference a small integer as if it were a pointer:

==10059== Invalid read of size 8
==10059==    at 0x668756: v8::internal::JSObject::PrepareElementsForSort(unsigned int) (in /usr/bin/nodejs)
==10059==    by 0x2C46A5DEA341: ???
[snip]
==10059==  Address 0x7464 is not stack'd, malloc'd or (recently) free'd

It appears any c >= 149 causes the same crash trying to reach through (some_type *)0x7464, while smaller values of c do not.

This also happened in 0.6.18, whereas my build of 0.7.10-pre, commit f624413, does not crash on this input.

@bnoordhuis (Member)

It's a bug - maybe 'shortcoming' is a better word - in the V8 version that ships with 0.6.x: it doesn't support sorting external arrays (what typed arrays are). You're hitting this assert.
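Given that explanation, the practical workaround is to keep the buffer-backed typed array itself out of Array.prototype.sort: copy its elements into a plain Array, sort that, and write the result back into the same buffer. The following is an added example, not code from this issue, from Node or from V8; the function names (compareNumbers, sortFloat64ArrayViaCopy, isSortedAscending, buildSample) are chosen here and the 149-element input is constructed to match the size in the report. The comparator also covers a case the report's `x - y` comparator does not: Float64Array can hold NaN, and a comparator that returns NaN gives the sort an inconsistent ordering, so NaNs are placed deterministically at the end.

```javascript
// Added example (not code from the issue or from Node/V8): sort a Float64Array
// without handing the typed array itself to Array.prototype.sort, by sorting a
// plain Array copy and writing the result back into the same buffer.

// Numeric comparator that also tolerates NaN. `x - y` returns NaN when either
// operand is NaN, which gives the sort an inconsistent ordering; NaNs are
// ordered after every other value instead.
function compareNumbers(x, y) {
  const xNaN = Number.isNaN(x);
  const yNaN = Number.isNaN(y);
  if (xNaN || yNaN) {
    if (xNaN && yNaN) return 0;
    return xNaN ? 1 : -1;
  }
  if (x < y) return -1;
  if (x > y) return 1;
  return 0;
}

// Copy the typed array's elements into an ordinary Array, sort that, and
// store the sorted values back into the original ArrayBuffer in place.
function sortFloat64ArrayViaCopy(typed) {
  const plain = new Array(typed.length);
  for (let i = 0; i < typed.length; i++) plain[i] = typed[i];
  plain.sort(compareNumbers);
  for (let i = 0; i < typed.length; i++) typed[i] = plain[i];
  return typed;
}

// Returns true when every number is <= its successor and any NaNs sit at the tail.
function isSortedAscending(typed) {
  let seenNaN = false;
  for (let i = 0; i < typed.length; i++) {
    if (Number.isNaN(typed[i])) { seenNaN = true; continue; }
    if (seenNaN) return false; // a number after a NaN
    if (i > 0 && !Number.isNaN(typed[i - 1]) && typed[i - 1] > typed[i]) return false;
  }
  return true;
}

// Constructed sample input with the same element count as the report (c = 149),
// filled from a small deterministic LCG so the demo runs offline and repeatably.
function buildSample(count, seed) {
  const buffer = new ArrayBuffer(8 * count);
  const view = new Float64Array(buffer);
  let state = seed >>> 0;
  for (let i = 0; i < count; i++) {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    view[i] = (state / 4294967296) * 1000 - 500; // spread across [-500, 500)
  }
  return view;
}

// Stand-alone run: sort the 149-element sample and report the outcome.
const sample = buildSample(149, 2012);
sortFloat64ArrayViaCopy(sample);
console.log('sorted:', isSortedAscending(sample), 'length:', sample.length);
```

On engines that implement TypedArray.prototype.sort (ES2015 and later), `typed.sort(compareNumbers)` sorts in place without the intermediate copy; the copy is only needed where Array.prototype.sort is the sole option.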
